#dependencyconfusion — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dependencyconfusion, aggregated by home.social.
-
AI-generated code could be a disaster for the software supply chain. Here’s why. - AI-generated computer code is rife with references to non-existent third-p... - https://arstechnica.com/security/2025/04/ai-generated-code-could-be-a-disaster-for-the-software-supply-chain-heres-why/ #packageconfusion.packagehallucination #dependencyconfusion #supplychainattac #security #biz #ai
-
"CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package"
#security #infosec #cybersecurity #dependencyconfusion #supplychain
-
Over 100,000 Infected Repos Found on GitHub
https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack/
-
Using dependabot to convert internal dependencies into public, attacker-controlled ones, using dependency-confusion. Wow, nice find!
-
Backdoor in public repository used new form of attack to target big firms - Enlarge (credit: Getty Images)
A backdoor that researchers fou... - https://arstechnica.com/?p=1853739 #dependencyconfusion #repositories #opensource #biz&it
-
> Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.
Wow.
[ . . . ]
> In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.
> Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.
#SupplyChainAttack #DependencyConfusion -
This Week in Security: APT Targeting Researchers, and Someone Watching All the Cameras - Microsoft’s Patch Tuesday just passed, and it’s a humdinger. To add the cherry on top, two seperate ... - https://hackaday.com/2021/03/12/this-week-in-security-apt-targeting-researchers-and-someone-watching-all-the-cameras/ #dependencyconfusion #hackadaycolumns #securityhacks #patchtuesday #exchange
-
More top-tier companies targeted by new type of potentially serious attack - Enlarge (credit: Getty Images)
A new type of supply chain attack unveiled last month is targeting... - https://arstechnica.com/?p=1747637 #dependencyconfusion #networkcompromise #supplychain #malware #biz&it #tech -
"In this post, I demonstrate that critical parts of the #Haskell package management system are vulnerable to the #DependencyConfusion supply chain attack." #security #cabal #hackage
https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html
-
Ein Sicherheitsforscher demonstriert, wie er mit vergleichsweise wenig Aufwand seinen Fuß in Systeme von beispielsweise Apple, Netflix und Tesla setzen konnte.
Sicherheitsforscher bricht über Open-Source-Repositories bei PayPal & Co. ein